Machine to Machine (M2M) devices are often numerous, hard-to-reach, and have constrained capabilities (owing to low cost, small size, low processing power or limited battery life). All of this makes their management, often remote, very complicated. Moreover, M2M devices often need to be managed in a secure manner. For example, they may contain information that is commercially sensitive and/or confidential for the one or more entities that manage and/or own said devices. There is a need to remotely manage and communicate with them in a secure way, while respecting these constraints.
One approach is to provide M2M devices with PKI keys for use in securing communications with a server or device manager. However, this increases complexity and requires such the maintenance of such a provisioning system.
Another approach is to use cryptographic material derived from an underlying key. However, if this key is ever compromised then an eavesdropper who has recorded previous communications can then decrypt these earlier messages.
Therefore, there is required a system and method that allows the M2M devices to communicate more reliably and more securely.
Details of 3GPP Standards and Technologies Used to Implement Aspects of the Method and System
One of these architectures of 3GPP is a Generic Authentication Architecture (GAA), which is a complex of standards which is described, for example, in 3GPP TS 33.919 (entitled “3G Security; Generic Authentication Architecture (GAA); System description”, currently it may be retrieved at http://www.3gpp.org/ftp/Specs/html-info/33919.htm).
Generic Bootstrapping Architecture (GBA) is a 3GPP standard defined in 3GPP TS 33.220 (entitled “Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)”, it could be currently retrieved at http://www.3gpp.org/ftp/specs/html-info/33220.htm). GBA is part of the complex of standards called GAA (see above).
GBA is a standard which enables a shared secret to be derived (bootstrapped) from the existing security association between a mobile network and a SIM card. This involves a network element called a Bootstrapping Server Function (BSF). In other words, GBA leverages the security of a SIM card (UICC) to authenticate mobile equipment, and then derive key material for general-purpose applications.
GBA may be advantageously used to provide high-security to the communication between a client and the server, thus allowing remotely managing, controlling and, in general, communicating with a device in a high security manner. In particular, GBA (or a GBA-like architecture) is used for enabling a secure communication with the device (which, according to an aspect of the present disclosure, may be an M2M device), said communication being between a server and a client, the client being associated with the device, and wherein this communication is done for managing the device and/or services provided by (or via) the device, thus enabling a secure management of that device and/or the services provided by (or via) the device. In this way, the device and/or the services provided by (or via) the device can be safely, securely and efficiently managed in a remote manner via a remote server.
GBA has been developed mainly for securing mobile broadcast (e.g. pay TV and equivalents). Indeed, standards for Multimedia Broadcast Multicast Service (MBMS) rely on GBA. Similarly, Open Mobile Alliance (OMA) Mobile Broadcast Services Enabler Suite (BOAST) smartcard profile relies on GBA. To date, most of the limited number of deployments of GBA in the world has been for mobile broadcast. GBA has also been standardised as an optional feature in conjunction with presence services, and within miscellaneous “federated identity” services (e.g. Liberty Alliance, OpenID). In general, it is understood that GBA has been designed for use with mobile devices, such as mobile phones, laptop, computers, and many of the designed features have been provisioned with this in mind.
A variant of GBA, called “GBA Push”, has been proposed for securing a message between a client and a DM server in the context of OMA Device Management Security. The OMA Device Management is specifically designed for management of mobile devices such as mobile phones, tablet, computers, etc.
A different recent standard document (TS 102 690) merely mentions, in the context of M2M communications, the use of a standard GBA to secure communications between a device/gateway service layer and a network service layer.
There are some alternatives for identifying/authenticating a mobile user/device to a service. All of these alternatives are simpler than using GBA. For example, mobile operators and service providers can use WAP header enrichment.
Alternatively, the service provider can request the user to enter their phone number, send an SMS one-time password to that phone number, and ask the user to read the SMS and enter the password. These alternatives all work well with mobile devices and operators already, so service providers use them, although they are not as secure as GBA.
Additionally, many service providers prefer to offer services to a huge range of mobile devices, many of which do not contain a SIM card (e.g. PCs, laptops, Wi-fi-only tablets etc.). Since GBA relies on a SIM card/UICC in order to work, there has been no interest in using it.
Strong security is not possible with current alternatives such as a user-entered PIN or a bootstrapping message delivered by an SMS. These alternatives would either not be feasible or they would not provide the required level of security. First, there might not be a user around to enter a PIN (as most M2M devices operate independently from human intervention). Second, the service provider may be likely to want strong security (e.g. because M2M devices may include critical infrastructure), whereas PIN-based bootstrapping has weaker security. Third, if a PIN or SMS-based bootstrapping goes wrong (server connects to wrong client, client connects to wrong server, or there is a Man-In-The-Middle), then the user is likely to notice, complain and get it fixed, whereas an M2M device is unlikely to notice and complain, so may be permanently compromised. Neither is particularly practical by way of existing methods. For example, the OMA Device Management uses GBA Push for securing a message between a client and a DM server, and there is no explanation of how a similar architecture could be used or even modified for managing the device. Moreover, as mentioned above, the OMA Device Management is not compatible for use with an M2M device, as discussed above. This is particularly true for low cost, simple M2M devices, such as simple sensors, switches, low cost trackers etc. Further, the standard document mentioned above uses a standard GBA to secure communications between a device/gateway service layer and a network service layer. Thus, the communication is not used for device/service management-related communications, and it is not clear, based on the observations made above, how a similar architecture could be used or even modified for managing the device from the server. Moreover, for the reasons mentioned above, the OMA Device Management and the standard document are incompatible, and a combination of the GBA Push for OMA Device Management with the standard document is not feasible, as it would result in the wrong device management protocol (i.e. one that is not suitable for M2M devices, particularly simple M2M devices), and some very laborious effort to make the two compatible and delete the elements which are redundant.
The OMA has defined a lightweight protocol for managing (as well as interacting with) M2M devices and managing services provided by M2M devices (e.g. remote control of attached sensors or machines). This protocol is called LWM2M, which is described in detail at http://technical.openmobilealliance.org/Technical/release_program/lightweightM2M_v1_0.a spx
This protocol runs over the CoAP protocol (analogous to http)—more specifically CoAP over DTLS (coaps) which is analogous to http over TLS (https). However, coaps requires a secure association to be provisioned between a device and a network server (DM Server) while providing no strong means to provision such an association from scratch.
A security aspect of OMA LWM2M is defined in Lightweight Machine to Machine Technical Specification Candidate Version 1.0—10 Dec. 2013 (OMA-TS-LightweightM2M-V1_0-20131210-C).
In addition, there exists two protocols, the first one called DTLS defined in RFC 6347 (entitled “Datagram Transport Layer Security Version 1.2”; it could be currently retrieved at http://tools.ietf.org/html/rfc6347); the second one called CoAP defined in draft-ietf-core-coap-18 (entitled “Constrained Application Protocol (CoAP)”; it could be currently retrieved at http://datatracker.ietf.org/doc/draft-ietf-core-coap/). Both protocols are currently used in LWM2M. CoAP is still only an IETF draft (not a full RFC), and DTLS version 1.2 is also comparatively new (January 2012): versions of TLS have often existed as RFCs for several years before receiving widespread adoption.
The User Datagram Protocol (UDP) channel security for [COAP] is defined by the Datagram Transport Layer Security (DTLS) [RFC6347], which is the equivalent of TLS v1.2 [RFC5246] for HTTP and utilizes a subset of the Cipher Suites defined in TLS. (Refers to TLS Cipher Suite registry http://www.iana.org/assignments/tls-parameters/tls-parameters.xml) The DTLS binding for CoAP is defined in Section 9 of [CoAP]. DTLS is a long-lived session based security solution for UDP. It provides a secure handshake with session key generation, mutual authentication, data integrity and confidentiality.
The keying material used to secure the exchange of information within a DTLS session may be obtained using one of the bootstrap modes defined in Section 5.1.2 Bootstrap Modes of OMA LWM2M. The formats of the keying material carried in the LWM2M Security Object Instances are defined in Appendix E.1.1.
There also exists an authentication protocol HTTP Digest authentication, which is defined in RFC 3310 (entitled “Hypertext Transfer protocol (HTTP) Digest Authentication using Authentication and Key Agreement (AKA)”, it can currently be retrieved at http://www.ietf.org/rfc/rfc3310.txt).
The GAA cluster of specifications TS 33.222 (entitled “Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)”) defines a general approach for pre-shared key TLS (TLS-PSK, RFC 4279). This can currently be retrieved at http://www.3gpp.org/ftp/Specs/html-info/33222.htm). For example, see especially Section 5.4.
In particular, with reference to GBA, 3GPP Specification TS 33.220 defines the components and interfaces that are shown in FIG. 1. These are further described as:
NAF 122, the “Network Application Function” is a server-side component of an application that will be secured using GBA.
BSF, “Bootstrapping Server Function”, 130 is a server-side component, which obtains authentication vectors from the HLR/HSS 140, and sends a challenge to the mobile device, “UE”, 110 during the GBA protocol. On successful authentication, it derives the shared secret.
HLR/HSS 140, the “Home Location Register” or “Home Subscriber System”, is the existing 3GPP system which stores subscription details and credentials (the K and IMSI) for each SIM card (UICC) issued by a mobile operator. It may be
“GBA-aware” (so that it stores details for a GBA user subscription) or may be a legacy component.
UE, the “User Equipment”, 110 is a mobile device containing a SIM card (UICC). The UE 110 supports a client application which communicates with the NAF 122, as well as a service which interfaces to the UICC, communicates with the BSF 130, and derives the shared secret before passing it to the client application. This service is (somewhat confusingly) called a “GAA Server” in TR 33.905 (entitled “Recommendations for Trusted Open Platforms”, it can currently be retrieved at http://www.3gpp.org/ftp/specs/htmlinfo/33905.htm).
Ua 150 is the interface between the Mobile Device (UE) 110 and the Network Application Function (NAF) 120.
Ub 160 is the interface between the Mobile Device (UE) 110 and the Bootstrapping Server Function (BSF) 130. This is specified in detail in TS 24.109 (entitled “Bootstrapping interface (Ub) 160 and network application function interface (Ua) 150; Protocol details”, it can currently be retrieved at http://www.3gpp.org/ftp/Specs/html-info/24109.htm).
Zh/Zh′ 180 is the interface between the BSF 130 and the HSS or HLR 140. The Zh 180 interface is used with an HSS 140 that is “GBA Aware”. The Zh′ 180 interface is used with a legacy HLR or HSS 140. The Zh and Zh′ 180 interfaces are specified in detail in TS 29.109 (entitled “Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on Diameter protocol; Stage 3”, it can currently be retrieved at http://www.3gpp.org/ftp/Specs/html-info/29109.htm) and TS 29.229 (entitled “Cx and Dx interfaces based on the Diameter protocol; protocol details”, it can currently be retrieved at http://www.3gpp.org/ftp/Specs/html-info/29229.htm).
Zn 170 is the interface between the NAF 122 and the BSF 130: this can use either a Web Services protocol (SOAP over http) or the Diameter protocol (RFC 3588). This is specified in detail in TS 29.109 (see above).
There are a few other components and interfaces defined within the GAA standards, but these are not described in detail here.
There are several different versions of GBA defined in the standards. The flavours of GBA may include GBA-ME, GBA-U, GBA-SIM etc. The version called “GBA-ME” may require no special customizations of the UICC, except that the UICC does contain a 3G SIM (a USIM). However, other versions may be used. There may be a need to use the 2G variant of GBA (using a SIM rather than a USIM).